From 071e22312947d28032d68c3465779cbfe9532f55 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 15 Feb 2020 16:19:08 +0100
Subject: [PATCH] avcodec/tiff: Some checks on bpp for DNG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

dng spec 1.5.0.0
"BitsPerSample
Supported values are from 8 to 32 bits/sample. The depth must be the same for each sample if
SamplesPerPixel is not equal to 1."

Fixes: eg_crash
Found-by: 黄宁 <tsukimurarin@163.com>
Reviewed-by: Nick Renieris <velocityra@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 3b5985ed1e..5bdcac2006 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1858,6 +1858,8 @@ again:
     }
 
     if (is_dng) {
+        int bps;
+
         if (s->white_level == 0)
             s->white_level = (1 << s->bpp) - 1; /* Default value as per the spec */
 
@@ -1866,6 +1868,12 @@ again:
                 s->black_level, s->white_level);
             return AVERROR_INVALIDDATA;
         }
+
+        if (s->bpp % s->bppcount)
+            return AVERROR_INVALIDDATA;
+        bps = s->bpp / s->bppcount;
+        if (bps < 8 || bps > 32)
+            return AVERROR_INVALIDDATA;
     }
 
     if (!s->is_tiled && !s->strippos && !s->stripoff) {